CISOs Call To Ditch The 'Stigma Of Blame' In Cybersecurity

Ditching ‘Humans are the weakest link’

Tom Allen

We talk about the technical side of cyber so much (can we defend ourselves, our network, our data? How will AI change the game? What new vulnerabilities are attackers exploiting?) that we sometimes forget about the most important part. Or, as one CISO put it:

"We all talk about people, process, technology trifecta. Many of us overload on the latter two, but don't do enough for the people." 

That was Bronwyn Boyle, CISO at fintech PPRO, speaking during a panel discussion at Computing's Cybersecurity Festival 2024. 

Working in cyber can become "overwhelming" for people in the industry, with an inevitable effect on their mental health – up to and including leaving the sector entirely. It's why Bronwyn is involved with Cybermindz, a group aimed at helping cybersecurity professionals manage the increasing stresses of the job. 

"The number of job openings in cyber is huge, and the number of people who can fill those gaps is small," said Sam Woodcock, senior director of cloud strategy and enablement at 11:11 Systems. "Looking after their mental health and enabling them to feel positive...is to your competitive advantage." 

Sam's company runs phishing tests on its own employees. This controversial practice has been criticised for harming productivity while adding little to security, but 11:11 has a different goal in mind: to identify weaknesses, educate staff and, most importantly, emphasise that they shouldn't feel ashamed of making a mistake.

"We would never blame somebody who was mugged," said Bronwyn. "We would never blame somebody that had their car broken into. And yet, for some reason, there's still quite a strong stigma of blame and shame in cyber incidents. 

"If I could take one phrase out of our lexicon, it would be 'humans are the weakest link.' You just have to stop thinking like that...

"With the technology available...any one of us can fall for a sophisticated attack. Taking that shame out of the equation is so important." 

Nick Ioannou, information security manager at Goodlord, has his own approach to tackling shame, which he calls "fraud huddles." 

"I reached out to everyone asking if anyone had been defrauded. Four people stepped forward... They were all engineers and product managers, highly technical and literate people. [It proved that] anyone can fall victim; anyone can be fooled. Showing that to everyone gave more people the courage to come forward." 

One of Goodlord's own founders was targeted in a spear phishing attack over Christmas: a story Nick shared with the company "to show even the founders could be a victim."

"Attackers," said Bronwyn, "are relentless... The asymmetry between attack and defence is getting bigger and bigger." 

That's why more companies are formalising processes and removing the ability for managers to override security decisions. 

"Make sure nobody is ever reprimanded for saying, 'This is the correct process'," said Nick. 

"And don't take instructions for £26 million over Zoom," Bronwyn added.

This article originally appeared on our sister site Computing.
